Starting in late July 2015 there was a noticeable drop in the DNS-based DDoS activity that Nominum Data Science has been tracking for the last 18 months. As reported earlier, the beginning of 2015 saw a change in tactics, from the large periodic bursts that attracted so much attention at the end of 2014 to steadier traffic that took down targets with measured efficiency.
In late July there was another large drop in the volume of queries with randomized labels. What is interesting is that they were immediately replaced by queries without randomized subdomains. For instance, 40 million queries per hour for jihyouxi.com (no random leftmost label) were observed on a single provider network. By comparison, only 8 million queries for google.com were observed in the same hour on the same network. Other names were attacked in a similar way over a few weeks.
Resolver data evaluated by Nominum Data Science offers a unique view of this kind of activity. Because the queries were for legitimate domain names, answers were cached, so authoritative servers would not see the large sustained volumes of attack queries. Authoritative servers could also have been attacked directly, but the research team saw no evidence of this in the form of slow or missing responses from the authoritative servers for the names under attack.
Cached answers also reduce the processing burden on resolvers, since they can respond without recursing. NXDOMAIN (NXD) answers to randomized queries are cached as well, but because each query is unique the cached entry is never reused; a further adverse effect of random subdomain attacks on resolvers is that the cache grows rapidly. The net result is that even moderately informed attackers would recognize that the effectiveness of their exploit was greatly diminished without randomized labels, since the burden on authoritative servers is greatly reduced.
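As an added illustration (not Nominum's code or data), the toy resolver below replays the two query patterns the post contrasts: a fixed name such as jihyouxi.com queried repeatedly, and a stream of constructed random leftmost labels under example.net (an assumed placeholder zone). It reports how many queries reach authority, how large the cache grows, and a per-zone unique-name ratio that a resolver operator can use to spot the randomized pattern.

```python
from collections import defaultdict

class ToyResolver:
    """Minimal caching resolver: cache keyed by qname, each miss costs one
    recursion to the authoritative servers."""
    def __init__(self):
        self.cache = {}       # qname -> cached answer
        self.recursions = 0   # queries that had to leave the resolver
        self.hits = 0         # queries answered from cache

    def query(self, qname, name_exists):
        if qname in self.cache:
            self.hits += 1
            return self.cache[qname]
        self.recursions += 1
        # Constructed answers. Negative answers (NXDOMAIN) are cached too,
        # which is why a random-label flood makes the cache balloon.
        self.cache[qname] = "A 192.0.2.1" if name_exists else "NXDOMAIN"
        return self.cache[qname]

def zone_of(qname):
    """Toy registered-domain guess: last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def unique_name_ratio(qnames):
    """Per zone, distinct qnames / total queries. Near 1.0 means almost every
    query carried a fresh leftmost label; near 0 means one name repeated."""
    distinct, total = defaultdict(set), defaultdict(int)
    for q in qnames:
        zone = zone_of(q)
        distinct[zone].add(q)
        total[zone] += 1
    return {zone: len(distinct[zone]) / total[zone] for zone in total}

def simulate(n=1000):
    """Replay both patterns through separate resolvers and report recursion
    count, cache size and per-zone unique-name ratio."""
    fixed = ["jihyouxi.com"] * n                              # late-July pattern
    randomized = [f"r{i:06x}.example.net" for i in range(n)]  # constructed labels
    fixed_resolver, random_resolver = ToyResolver(), ToyResolver()
    for q in fixed:
        fixed_resolver.query(q, name_exists=True)
    for q in randomized:
        random_resolver.query(q, name_exists=False)
    return {
        "fixed": (fixed_resolver.recursions, len(fixed_resolver.cache)),
        "randomized": (random_resolver.recursions, len(random_resolver.cache)),
        "ratio": unique_name_ratio(fixed + randomized),
    }
```

With 1000 queries each, the fixed name costs one recursion and one cache entry while the randomized stream costs 1000 of both, which is the asymmetry the post describes.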
It seems probable that the attackers made a change to their infrastructure that inadvertently brought about this result. Oddly, it took them a few weeks to notice, a clear lapse on the part of the attackers; perhaps they were on holiday? Alas, the break was relatively short lived: by mid-August “normal” randomized queries, and the burden they impose, reappeared. As a side note, other kinds of attack activity were present during this lull, some regionally directed (Asia continues to be hard hit) and some thought to be experimental.